From:Gleb Shchepa Date:January 21 2009 6:13am
Subject:bzr commit into mysql-5.1-bugteam branch (gshchepa:2748) Bug#42188
#At file:///work/bzr/5.1-42188/ based on revid:timothy.smith@stripped

 2748 Gleb Shchepa	2009-01-21
      Bug#42188: crash and/or memory corruption with user variables 
                 in trigger
      
      Interchangeable calls to the mysql_change_user client function 
      and invocations of a trigger changing some user variable caused 
      a memory corruption and a crash.
      
      The mysql_change_user API call forces THD::cleanup() on the server,
      which frees user variable entries.
      However, it didn't reset Item_func_set_user_var::entry to NULL 
      because Item_func_set_user_var::cleanup() was not overloaded.
      So Item_func_set_user_var::entry held a pointer to freed memory,
      which caused a crash.
      
      The Item_func_set_user_var::cleanup method has been overloaded
      to cleanup the Item_func_set_user_var::entry field.
modified:
  mysql-test/r/user_var.result
  mysql-test/t/user_var.test
  sql/item_func.cc
  sql/item_func.h

per-file messages:
  mysql-test/r/user_var.result
    Added test case for bug #42188.
  mysql-test/t/user_var.test
    Added test case for bug #42188.
  sql/item_func.cc
    Bug#42188: crash and/or memory corruption with user variables
               in trigger
               
    The Item_func_set_user_var::cleanup method has been overloaded
    to cleanup the Item_func_set_user_var::entry field.
  sql/item_func.h
    Bug#42188: crash and/or memory corruption with user variables
               in trigger
               
    The Item_func_set_user_var::cleanup method has been overloaded
    to cleanup the Item_func_set_user_var::entry field.
=== modified file 'mysql-test/r/user_var.result'
--- a/mysql-test/r/user_var.result	2008-09-18 08:38:44 +0000
+++ b/mysql-test/r/user_var.result	2009-01-21 06:13:26 +0000
@@ -399,4 +399,9 @@ select @lastid != id, @lastid, @lastid :
 0	3	3
 1	3	4
 drop table t1;
+CREATE TABLE t1 (i INT);
+CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
+INSERT INTO t1 VALUES (1);
+INSERT INTO t1 VALUES (1);
+DROP TABLE t1;
 End of 5.1 tests

=== modified file 'mysql-test/t/user_var.test'
--- a/mysql-test/t/user_var.test	2008-09-18 08:38:44 +0000
+++ b/mysql-test/t/user_var.test	2009-01-21 06:13:26 +0000
@@ -285,4 +285,15 @@ set @lastid=-1;
 select @lastid != id, @lastid, @lastid := id from t1;
 drop table t1;
 
+#
+# Bug#42188: crash and/or memory corruption with user variables in trigger
+#
+
+CREATE TABLE t1 (i INT);
+CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
+INSERT INTO t1 VALUES (1);
+--change_user
+INSERT INTO t1 VALUES (1);
+DROP TABLE t1;
+
 --echo End of 5.1 tests
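Review bot: The new test case passes whenever the server survives the second INSERT, so memory corruption that does not end in a crash would go unnoticed outside a valgrind or debug-heap run. Adding `SELECT @bug42188;` after the second `INSERT INTO t1 VALUES (1);` would also check that the trigger wrote to the user variable of the session created by `--change_user`. The expected output in user_var.result would need the matching lines.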

=== modified file 'sql/item_func.cc'
--- a/sql/item_func.cc	2009-01-16 15:38:38 +0000
+++ b/sql/item_func.cc	2009-01-21 06:13:26 +0000
@@ -3808,6 +3808,13 @@ static user_var_entry *get_variable(HASH
 }
 
 
+void Item_func_set_user_var::cleanup()
+{
+  Item_func::cleanup();
+  entry= NULL;
+}
+
+
 bool Item_func_set_user_var::set_entry(THD *thd, bool create_if_not_exists)
 {
   if (entry && thd->thread_id == entry_thread_id)
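Review bot: The new `cleanup()` carries no comment explaining that `entry= NULL` is a memory-safety fix, so a later reader could take it for routine tidying and remove it. I would add above the assignment something like `/* entry is a cached pointer to a user variable entry that THD::cleanup() can free (e.g. on mysql_change_user); clear it so set_entry() looks it up again */`. The guard on the context line `if (entry && thd->thread_id == entry_thread_id)` cannot detect a freed entry, since the thread id presumably stays the same across a change of user, so this reset is the only thing that keeps a dangling pointer from being reused. `set_entry()` continues outside the hunk, so how `entry_thread_id` is refreshed is not visible here.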

=== modified file 'sql/item_func.h'
--- a/sql/item_func.h	2009-01-16 15:38:38 +0000
+++ b/sql/item_func.h	2009-01-21 06:13:26 +0000
@@ -1357,6 +1357,7 @@ public:
   void save_org_in_field(Field *field) { (void)save_in_field(field, 1, 0); }
   bool register_field_in_read_map(uchar *arg);
   bool set_entry(THD *thd, bool create_if_not_exists);
+  void cleanup();
 };
 
 
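Review bot: The added `void cleanup();` only takes effect through base-class pointers if the inherited `cleanup()` is virtual, which cannot be confirmed from this hunk because the class and its bases start outside it. Marking the declaration makes that dependency visible to the next reader, e.g. `virtual void cleanup();  /* drops the cached user variable entry */`.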
